ACCS DISCUSSION PAPER NO. 4, Adam P. Henry, August 2017
Mastering the Cyber Security Skills Crisis: Realigning Educational Outcomes to Industry Requirements
Abstract
The cyber security skills crisis is a key policy issue in many countries, and governments look
in part to universities to address it. This paper addresses one narrow question to see how it
speaks to the broader challenges: are current Master of Cyber Security programs in Australia
preparing students for the workforce? This research flags a new direction for further, much-needed
research rather than claiming to be an exhaustive analysis. The paper outlines cyber
security education as being multi-faceted and multidisciplinary and then identifies current gaps
in university-based offerings. It pursues several lines of investigation. The first approach is to
scope the field. To do that, and following a brief literature review, the paper proposes a new
multi-level matrix, the Cyberspace Education Framework. This framework allows a high-level
comprehensive view of cyberspace education. The paper then investigates current generalist
master’s programs in Australia and the proposition that mission-specific and purpose-driven
courses may better prepare students and address the skills crisis than generalist degrees. A
survey of cyber security master’s students at one university campus and subsequent discussions
with other stakeholders revealed a contrast between expectations. The paper then compares the
current educational learning outcomes of Master’s programs in Australia with the knowledge,
skills and abilities (KSA) set out in the U.S. Government’s work standards document as a proxy
for what would be required for five cyber work roles of high national importance to Australia.
It reveals only modest alignment (around 50 per cent) between the several Australian Master’s
degrees reviewed and U.S. benchmark KSAs, compared with a 97 per cent alignment with
them for a specialised Master’s degree at University College Dublin. UNSW Canberra does
score a 77 per cent alignment for one U.S. identified role with one of its more specialised
degrees, and Edith Cowan scores a 67 per cent alignment in the same role (cyber defence
incident investigator). The paper concludes that the requirement for purpose-driven and
mission-specific cyber security education is increasing and recommends that this become a
focus of new initiatives in cyber security education. Universities have an obligation to work
with industry and government to ensure that cyber security programs are more directly
preparing students for the workforce. That will give Australia more chance to become cyber
resilient and an opportunity to become a global leader in cyber security education.
ACCS Discussion Paper Series
The ACCS Discussion Paper Series is a vehicle to subject the research of scholars affiliated
with the Centre to further review and debate prior to the finalisation of research findings in
more formal scholarly outlets, such as journals or books. More information on ACCS is
available at our website:
https://www.unsw.adfa.edu.au/australian-centre-for-cyber-security/
Table of Contents
1. Introduction
2. Literature Review
3. Methodology
3.1. Cyberspace Education Framework
4. Research Results
4.1 Student Expectations Survey
4.2 Industry Viewpoints
4.3 Educational Outcome to Work Role Comparison
4.4 Comparative View of Generalist versus Mission-specific Master’s Programs
4.5 Framework Implications
4.6 Further Investigation with Informants
5. Discussion
5.1 Key Research Outcomes
5.2 Applying this Research
5.3 Areas for Future Research
6. Conclusion
References
1. Introduction
The cyber security skills and education crisis is a key issue affecting countries globally.
Governments are currently looking more and more to universities to help solve the problem.
This paper looks at one key slice of the problem: are current Master of Cyber Security
programs in Australia preparing students for the country’s workforce?
Cyber security education has become a new field of study across the world as a result of the
rapid transformation of platforms, vulnerabilities and threats in the past decade. There is
currently a lag effect between education research and the emerging needs in most countries. As
governments release cyber security strategies, education is always mentioned, though, as
cyberspace education is still in its infancy, there has been a certain lack of understanding of the
field as a public policy problem and even as a pedagogic challenge (Austin, 2017). In the case
of Australia, there is no single university scholar undertaking full time research into pedagogies
and/or public policy for cyber security education. As Slay (2016) observed, there is a lack of
people, and there is no clear understanding of what cyber security means, what a cyber security
professional is, or how they should be trained.
The Australian Cyber Security Growth Network’s Cyber Security Sector Competitiveness Plan
(SCP) (2017, p. 2) states:
Australia has difficulty attracting and retaining cyber security talents. While the
skills shortage is affecting the cyber security industry globally, there are signs
that the lack of cyber talent in Australia is among the worst in the world.
Australian firms struggle to find job-ready cyber security workers despite
offering high wage premiums.
The government’s 2016 Cyber Security Strategy and the 2017 First Annual Update report that
‘the scale and reach of malicious cyber activity affecting Australian public and private sector
organisations and individuals is unprecedented’ (p. 2). These sentiments are supported by
Austin (2016) and Austin and Slay (2016), which point out that while technical solutions are
important, it will be institutional, cultural and social changes that will be most effective in
mitigating cyber insecurity. New ways of thinking, new understanding and new strategies for
the emerging digital age realities will be vital (Austin 2017, p. 1). As this field is complex and
multidisciplinary, educational responses must focus not just on technical solutions but also
incorporate the myriad of other topics such as national defence, economics, sociology, political
science, diplomacy, history, and psychology (Kessler and Ramsay, 2013, p. 36).
Against this background, Australia’s cyberspace education sector is currently in its infancy.
The Council of Australian Governments (COAG) in its December 2016 meeting identified
cyber security education as an important area of future cooperation. As the 2016 Australian
strategy and 2017 update conclude: ‘it is critical that we build our nation’s stock of cyber
security skills, which are becoming increasingly essential for life and work in our connected
world’ (p. 4). There is wide consensus that a considered multidisciplinary pedagogical focus
appropriate to the more complex cyber threat scenarios affecting national public policy is
required.
This paper argues for yet another step beyond recognition of the multi-disciplinary challenge.
It argues for an approach that is not only multi-disciplinary but one that more explicitly
recognises cyber security as comprising fundamentally distinctive specialisations at the outset,
where different mission-specific sets (countering crime versus fighting cyber war, or child
protection versus enterprise protection) define the learning objectives, the content, the level of
expertise, and the value of various programs to future employers.
This sharpening of focus could then usefully be combined with mission-specific workplace
integrated learning programs similar to those in medical education. But these workplace
programs would not be for “general practice”. Currently, at the tertiary level at least, cyber
security education prepares its graduates for some sort of general-practice, whereby courses
cover the large base which is captured in the term cyber security. This may include network
security, forensic studies, information assurance, programming and data analytics. Educational
responses for cyber security may need to incorporate much earlier approaches that lie well
outside the software and hardware aspects. In cyber security education policy and research on
pedagogy, no convincing way has yet been found to incorporate the myriad of other topics
(Cooper et al., 2010).
Cyber security should be viewed more like engineering with distinct differentiating sub-fields
at a very early stage, such as electrical, mechanical, civil, aeronautical and bio-medical. A
simple example that illustrates the intent of this paper is the proposition that the education
needs of a person developing government policy on international cyber relations are very
different to the education needs of a person working in a financial institution protecting their
networks from cyber fraud. To extend the argument, neither of those professions requires any
significant knowledge of cyber forensics on a scale that police authorities would need to be
able to gain convictions for most forms of cybercrime.
2. Literature Review
There are few clear national visions and little consensus on how to solve the shortfalls in cyber
security education and the subsequent skills crisis. In Australia, the Sector Competitiveness
Plan supports this further by stating that there are signs the formal education system fails to
produce enough job-ready cyber security graduates (Australian Cyber Security Growth
Network, 2017, p. 35). The global cybersecurity skills gap has important implications and this
has been widely acknowledged, but there is still the critical need to address the talent shortage
by increasing the number of individuals who have cybersecurity skills (Vogel, 2016). This is
compounded by a large amount of research focusing on the technologies and techniques of
cyber security at the enterprise level, which contrasts with a distinct lack of research into cyber
security education and pedagogical methods. There is some research into the field of system
models for cyber security education in general terms, but it still does not quite go far enough.
McGettrick (2013, p. 23) reiterates this point stating that cyber security is still an immature
field lacking a cohesive intellectual body of activity and clear underlying science.
To ensure that cyber security education continues to mature, Kessler and Ramsay (2013, p. 36)
propose that academia needs to apply new ways of thinking, understanding, and strategies to
a nation’s response to this new digital information age. This proposition aligns with the current
emphasis on multidisciplinary approaches to cyber security education. Cyber security is about
process as much as it is about technology; the response to cyber-related security challenges
today is not solely about technical solutions, but requires a multi-faceted and multidisciplinary
focus (Kessler and Ramsay, 2013, p. 36).
There are currently few agreed metrics or baselines by which stakeholders can evaluate
progress towards meeting the cyber security educational requirements. The United States has
an overarching higher education mechanism with the Centres of Excellence and the models
linking workforce needs to higher education outcomes (Conklin et al., 2014 and Kessler and
Ramsay, 2013). There is also the newly announced Australian Government Academic Centres
for Cyber Security Excellence (ACCSE), which aims to ‘increase the number of highly skilled
post-graduates with the job ready skills needed to work in Australian business and government
to tackle emerging cyber security challenges’. If universities do not adapt and modify their
current methodology and course structure they will fall short, though it must be noted that the
Australian government has not published any comprehensive baseline studies of the current
outputs.
The key messages coming out of current research reiterate the importance of the purpose for
the education (outlined below in the framework) and the importance of frameworks (models)
for enhancing cyber security education and awareness (Amankwa et al., 2014, p. 250 and 2015,
p. 76). Typically, these works offer a critical view of current curricula and the input/output
method of education for cyber security which is universally seen as inadequate (Austin, 2017,
p. 1; Conklin et al., 2014, p. 2008). There is a major gap in the alignment between the education
of a student and the hands-on skills required to make them job ready. The central theme of this
issue is training versus education. Training tends to be oriented towards the how and is focused
on the current technology and methods. Education tends to focus on the why, the theory and
mechanisms behind the professional activity. Linking theory and practice is vital for cohorts
of Master of Cyber Security courses to be effective in the workforce. Cyber security is
constantly evolving, making it challenging to acquire and maintain the skills necessary to act
as a responsible cyber security professional (Martin, 2015).
This is not a new issue, as Hentea and Dhillon (2006, p. 226) observed a decade ago: ‘the
adoption of courses that link theory and practice is vital for some courses offered for
information security education, such that, the individual acquires the ability to put theories into
practice’. There is a big discrepancy between the levels of skills expected by employers and
those the graduates have after completing their studies. In order to address these problems, the
academic community probably needs to restructure the curricula. Lehto (2016, p. 28) gives a
grim view whereby universities only provide cyber security education from the university
perspective. This is true for many universities, but there are some who are moving towards
industry partnerships to enhance the effectiveness of their programs as a differential for
potential students. This type of cooperation and collaboration is vital for the effectiveness of
cyber security programs.
The key points that are necessary for cyber security courses to be relevant in the workplace are:
depth over breadth (purpose driven) (Manson and Pike, 2014),
work integrated placements (Koppi et al, 2008),
practical skillset development - real world scenarios and simulations (Koppi et al, 2010), and
the avoidance of an “all in one” approach (general-practice versus mission-specific) (Conklin et al, 2014, p. 2008).
The development of a single foundational curriculum that can meet all major requirements is
not possible for a field as diverse as cyber security, and thinking all graduates from all programs
are interchangeable can be as bad in cyber security as any other specialised profession (Conklin
et al, 2014). A key requirement for courses to remain relevant is to continually update the
teaching and learning methods and ensure the content is in line with industry’s new direction.
Koppi et al (2010) put forward that the relationship between industry and universities needs to
be improved particularly with respect to the development of industry-integrated curricula. This
requires an understanding of not only the purpose of the course for the university, but also the
purpose and relevance to the student undertaking the course (Armstrong et al, 2013). High-
quality cyber security programs need to differentiate between the multidisciplinary aspects of
courses and the unique requirements for each course. A strong technical based curriculum
requires hands-on activities including the use of cyber ranges, simulations and war-games.
This approach with purpose designed workplace integrated learning strengthens the knowledge
and skillsets of the students and improves employability. The Sector Competitiveness Plan
supports this: globally, more than three-quarters (77 per cent) of cyber security
professionals surveyed think the industry's current training and education programs are not
fully preparing professionals for the workplace reality, leading to calls for academic programs
to incorporate more practical learning. This hybrid technical cyber security education program
should still be purpose-driven and mission-specific.
It should be noted that it is common practice in other academic programs to have a strong focus
on practical skills acquired during work placements. A report into work experience in Australia
stated that 71 percent of respondents were satisfied or very satisfied with the work experience
and that they had developed relevant skills and knowledge. Nearly 30 percent of respondents
were offered an employment opportunity after completing their placement (Australian
Government Department of Employment, 2017). Koppi et al (2010) state that while
fundamental theories were seen as providing a firm foundation for a dynamic and changing
discipline, there is an unfulfilled need for their practical relevance and application to the real
world. There will always be a challenge in academia to bridge the gap between theory and the
real needs of industry. These performance measurements through real-world scenarios are
critical in becoming effective in the workplace. This is prominent in the field of medicine.
There are large components of workplace integrated learning in the medical field. This is also
dependent on knowledge, skill levels and specialist training/workplace development. Time
spent on the task for which the person is being prepared is critical for success. For cyber
security education especially in the technical areas, there should be a requirement for this type
of complex practical tasking that requires a high degree of mastery to gain success (Manson
and Pike, 2014).
3. Methodology
The paper begins with an original characterisation of education needs in cyber security
according to five broad headings, each with distinct sub-sets. The paper then demonstrates the
potential value of that original framework by analysing just one slice through more than several
hundred possible combinations. That slice is based on tertiary education (Master’s level) as the
departure point, suggesting that similar analyses could be undertaken for at least several other
levels or types of education (discussed below). The investigation has been based primarily on
a survey of Master’s students or recent graduates at the University of New South Wales
Canberra. The data was then analysed in the context of other information about expectations
of employers and universities in order to begin to identify gaps in the expectations of
stakeholders. To establish a clear opinion of current students, the survey explored their
expectations regarding their different Master’s programs. Comparing the work roles of these
students to individual courses taught in the Master’s programs also enabled gaps to be
identified. Further to this, the Cyber Security Education Framework enables a clear and
consistent comparison for the current offerings. Both international and national employer
survey results were compared with the students’ opinions. Discussions with a recruitment firm
were undertaken to ensure the results were consistent with current views in industry and with
recommendations of the paper. Discussions with key personnel in several universities were
also undertaken to explore the results and individual expectations of their courses.
3.1. Cyberspace Education Framework
This framework focuses on the broad high-level education objectives, which can then be
narrowed down to show key outcomes for mission-specific activities. This approach reminds
us that there can be no single universal approach to cyber security education. It is multi-faceted,
multi-dimensional and purpose specific. At the same time, the framework allows us to see
relationships between different education activities and outcomes. When it comes to baselines
and benchmarks for cyber security education, it is a basic contention of this model that these
can only be established by reference to particular slices through this framework. The purpose
of the framework reiterates the requirement for nations to pursue cyber education maturity
(Austin, 2017). Within the framework five elements make up the matrix which leads to a very
large number of quite distinct cyberspace education outcomes.
Figure 1. The Cyberspace Education Framework
Education Type
There are nine key categories of education type. This captures the different formal and informal
types of education someone may pursue. This model identifies that an individual may
undertake one or more different levels of education. The education undertaken is not defined
by a sequence, but rather it is assumed that the education patterns undertaken differ from
individual to individual and that each type can be undertaken more than once (that is, revisited).
The categories of education are:
On the job training
Self-Taught
Primary School
Secondary School
Vocational
Higher Education
Industry Certifications
Adult Education
University of the Third Age.
Level of Expertise
The model proposes five key levels of expertise, but this is only a departure point. These range
from Basic through to an Advanced Expert. The majority of formal courses available are within
the basic through to expert levels. Each level of expertise needs to be viewed against each
element of the framework as there are many different streams within cyberspace. Examples
against each level are shown below in Table 1, while also reflecting the fundamental point that
within even one level of cyberspace education there are multidisciplinary fields and purposes.
Having technical expertise can be considered as important as having international relations
expertise. While the two are very different fields of education and specialisation, both need to
be ranked against the five levels of expertise.
Basic: A student within a primary school who completes a course regarding eSafety to a high standard; a CEO who knows cyber security is essential for profitability but does nothing about it; a criminal using stolen credit card details.

Intermediate: A Vocational Education and Training (VET) student who successfully completes a Certificate in Information Security; a lawyer who makes an effort to segregate sensitive data sets relating to an individual high value client; a criminal using phishing scams to capture people’s logon details.

Advanced: A PhD graduate specialising in system defence and cyber resilience for an organisation, whose research includes practical studies and scenario-related exercises; a graduate of several professional certifications (such as CISM, CISSP [1]) who also has significant experience in threat mitigation and system resilience; an individual who develops ransomware and initiates major attacks for financial gain.

Expert: A cyber security professional who has completed the Certified Cyber Security Expert (CSX) course offered by ISACA; an individual who through accessing third party vendors gains access to and steals intellectual property from a major multinational organisation for a nation state.

Advanced Expert: Certification as a Cyber Guardian offered by System Administration, Networking, and Security Institute (SANS). The institute has issued 86,000 certifications to computer professionals, of which only 35 are Guardians; members of the teams who invented and evaluated the Stuxnet worm.

Table 1: Examples of Levels of Expertise

[1] Certified Information Security Manager (CISM) is an industry certification offered by ISACA and Certified Information Systems Security Professional (CISSP) is an industry certification offered by (ISC)².
Field of Education
The list below shows the broad fields of education in regard to cyberspace. It is important to
note that only one field focuses on technical matters, and this demonstrates the multidisciplinary
nature of cyber security. Incorporating this type of multidisciplinary model into the framework
enables a broader view of cyberspace. This is a key aspect of the framework and the baselining process.
Five key fields of education:
Political
Social
Legal
Technical
People
Purpose
To develop more effective and more focussed education policies, there is a requirement to
address what specifically we need these skills for. Each country requires a cyber-educated
workforce. This is not just for national security agencies and police agencies, but for all
industries, to ensure continued economic growth. It is therefore important within the framework
to identify the reason or purpose (the mission set) for undertaking the cyberspace education.
The broad types of purpose (mission sets) are many, and this framework proposes 13 distinct
mission sets:
Espionage/counter espionage
Counter-terrorism
Countering crime (police)
Cyber-enabled war
Protection of the financial services sector
Protection of other critical infrastructure
Protection of children
Intellectual property protection
Privacy protection
Legislation development and legal practice
SME and Enterprise cyber security (resilience)
Non-Government Organisations and political party cyber security
Home user cyber security.
Application
We can also identify quite different aspects of cyber security education depending on the
process the student will adopt to apply the knowledge/skills or the institutional circumstances.
The broad types of application are listed below:
Individual action
Team member
Team leader
Mid-level management
Executive management
National policy leadership (government or private sector)
Community policy leadership.
The Cyberspace Education Framework enables comparisons between cyberspace education
activities and what the outcome of each activity is. This framework helps establish baselines
for future comparison. The results of the comparison show the effectiveness of the framework
for cyberspace education policy development.
Matrix
These five elements, each with five or more distinct categories, allow us to postulate a very
large number of education types and outcomes. While we may not expect all possible elements
to be meaningful (e.g. primary school/advanced/technical/cyber war/team leader), the matrix
allows us to understand the potential of much sharper focus. In particular, primary school
children need to know child protection, before they need to know technical issues such as
coding. The matrix also allows us to situate existing programs and align them with
specialisations, mission sets, roles and outcomes. This is a very different approach to that of
core competencies which has been a focus of much public policy discussion and which is
important work. It is however far from being the whole story, and may not even be the main
story. Table 2 brings together the sub-elements of each of the five main elements. The shaded
sub-elements represent the “slice” of the education problem this paper is looking at.
TYPE: On the job training; Self-Taught; Primary School; Secondary School; Vocational; Higher Education; Industry Certifications; Adult Education; University of the Third Age.

EXPERTISE: Basic; Intermediate; Advanced; Expert; Advanced expert.

FIELD: Political; Social; Legal; Technical; People.

PURPOSE: Generalist; Espionage/counter espionage; Counter-terrorism; Countering crime (police); Cyber-enabled war; Protection of the financial services sector; Protection of other critical infrastructure; Protection of children; Intellectual property protection; Privacy protection; Legislation development and legal practice; SME and Enterprise cyber security (resilience); Non-Government Organisations and political party cyber security; Home user cyber security.

APPLICATION: Individual action; Team member; Team leader; Mid-level management; Executive management; National policy leadership (government or private sector); Community policy leadership.

Table 2. Matrix view of the Cyberspace Education Framework
It is against the considerations raised by elaborating the matrix that the author believes we can
better evaluate any existing programs. This paper chooses just one slice of the matrix (Higher
education) and one subset of it (Master’s degrees) to understand better the state of cyber
security education in Australia. This slice is marked in grey (yellow) shading in the above table.
It is a basic corollary of the matrix that all slices need to be evaluated, in broad terms at least,
against the criteria listed.
4. Research Results
To appropriately answer the question “are Master of Cyber Security programs preparing
students for the workforce”, this project explored the viewpoints of students, employers and
universities, comparing key data points and information to ensure a solid comparative base for
the research. The 2016 NIST Framework [2] of work roles in cyber security, linking the
knowledge, skills and abilities (KSA) to educational outputs, also enables a further comparison
between the current master’s programs and the top five skills crisis work role requirements.
Further to this, the Cyberspace Education Framework was used to compare current generalist
cyber security degrees to the more mission-specific Master of Science in Computer Forensics
and Cybercrime Investigation course, to demonstrate how a mission-specific program can
more adequately address a specific industry requirement.
This holistic analysis provides a deeper view into the skills crisis and how universities can work
towards ensuring their students are ready for the workplace.
4.1 Student Expectations Survey
The project surveyed current students and alumni of master’s programs at University of New
South Wales (UNSW) Canberra. The campus has five master of cyber security offerings,
mostly through distance learning, with some individual courses offered in one-week intensive
mode on campus. The survey obtained responses from 22 percent of the 325 student cohort.
Each course offered through the UNSW Canberra is represented in the survey but the majority
of the cohort were undertaking Master of Cyber Security Operations (35 percent), Master of
Cyber Security, Strategy and Diplomacy (28 percent) and Master of Cyber Security (24
percent). This demonstrates the multidisciplinary nature of the cyber security programs with
students pursuing policy, international relations and strategy components as well as the
traditional technical streams. 87 percent of the cohort were current students, with 93 percent of
respondents studying in Australia.
There was a range of current occupations being undertaken by the cohort including a third from
the Defence Force, 38 percent from private industry and 24 percent from state and federal
public service. This reinforces the multi-faceted nature of cyber security and how broad the
requirements for a skilled workforce truly are. 56 percent of all participants were undertaking
the course to gain a new role in a new workplace. 24 percent were undertaking the course to
better equip them for their current position and 15 percent were undertaking the course as they
were interested in the topic.
Interestingly 60 percent believe they will be able to utilise the knowledge and skillsets acquired
in the course at their current workplace or appear to currently work in a cyber security role. A
large portion (40 percent) do not work in the cyber security industry. 92.5 percent believe that
they would be able to utilise the knowledge and skillsets acquired in the course at a future
workplace. 65 percent agreed that a work placement would be useful. 88 percent said that the
course has given them further knowledge and skillsets they considered useful in either their
existing workplace or future career goals. Of the 11.5 percent who said no, a large portion
suggested that no practical skills or real world applications were taught. Of the 37 percent of
students who had undertaken courses that provided cyber range simulations (i.e. cyber
operations including threat assessment, detection and prevention), 87.5 percent agreed that the
simulations had strengthened their knowledge and skillsets for their future career ambitions.
83 percent of respondents rated the course satisfactory (slightly satisfied through to extremely
satisfied) and effective in meeting their expectations.
2 The U.S. Government National Institute of Standards and Technology (NIST) developed the Framework in
response to Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, which
was issued in 2013. The Framework is voluntary guidance, based on existing standards, guidelines, and
practices.
Interestingly 34 percent of respondents said they would undertake post graduate research, such
as a PhD, and a further 45 percent would undertake an industry based certification. Three
quarters of respondents had not undertaken an industry certification. Of the respondents who
had undertaken an industry certification, 53 percent agree that they were effective in preparing
them for their future ambitions and a further 42 percent neither agreed nor disagreed. The high
rate of neither agree nor disagree could indicate respondents may have undertaken the course
to fulfil a requirement for their resume.
These results show that a large portion of the cohort work in areas associated with cyber
security, but a large number would be attempting to enter the cyber security workforce. The
cohort is seeking new roles and has undertaken their course to improve their knowledge and
skillsets. A high proportion of the cohort supported both the requirement for workplace
integrated learning and the use of specific real world practical skills utilising scenarios and
hands on labs.
4.2 Industry Viewpoints
In contrast to the student cohort there have been many surveys (national and international)
conducted at the enterprise level regarding the skills crisis and skillsets required to fill cyber
security positions. Recent studies by ISACA and the Australian Information Security
Association (AISA) reveal some interesting trends. The ISACA report stated that practical
hands-on experience is the most important cyber security candidate qualification to 55 percent
of enterprises. This is in stark contrast to formal education and personal endorsements ranked
equally as least important (ISACA, 2017). This shows that current education and pedagogical
methods aren’t hitting the mark. There is a high degree of focus on industry certifications with
close to 70 percent of hiring enterprises requiring an industry security certification for
positions. This is in line with the findings of the AISA report, whereby many respondents did
not think that current academic qualifications adequately prepared cyber security graduates for
the workplace (AISA, 2017). The report states that experience is more important to recruiters
than knowledge, certifications or education. It goes further to state that respondents were
critical of the academic qualifications available for cyber security workers. Interestingly the
report says that it may be because recruiters and employers do not understand the different
academic qualifications that are available and the knowledge and capabilities of the graduates
from those programs. As 40 percent of the student cohort surveyed aren’t currently in a cyber
security role, they may have difficulty finding an appropriate position after their course.
This further demonstrates the requirement for courses to be aligned to workforce requirements.
Universities should actively work with industry to ensure their programs are not only known
to employers and recruiters, but relevant. An interesting trait the survey reported was the
requirement for five years of experience, with 90 percent of advertised cyber security positions
(including junior positions such as security analysts) requiring this. The survey reported that
architects, technical security consultants, forensic examiners, incident handlers or investigators
and security analysts or advisors were the most in demand.
4.3 Educational Outcome to Work Role Comparison
The survey results indicate different expectations between students and employers and a low
level of industry confidence in current programs. It is beneficial to compare how aligned
current master’s program offerings are to the workplace KSA requirements of the above most
in demand roles, to establish if there are major gaps or alignment. Using the NIST Framework
for knowledge, skills and abilities related to work roles and comparing it to the units offered in
the master’s programs establishes a clear picture of what industry has stipulated. This was done
by comparing the course information provided on the universities’ websites to the KSA’s
outlined in the NIST Framework to create the matrix below (Table 3).
| | Systems Security Analyst | Systems Architect | Cyber Defence Incident Investigator | Forensic Analyst | Technical Security Consultant (Systems Security Operations) | Overall Alignment with Work Role KSA |
|---|---|---|---|---|---|---|
| DEAKIN* | 46% | 32% | 50% | 47% | 37% | 97/225 (43%) |
| ECU* | 43% | 47% | 67% | 53% | 37% | 113/225 (50%) |
| UNSW Canberra | 57% | 58% | 77% | 57% | 43% | 131/225 (58%) |
| Total | 79/162 (49%) | 78/171 (46%) | 58/90 (64%) | 91/180 (51%) | 35/90 (39%) | 341/675 (51%) |

Table 3. Generalist Course alignment to Work Role KSA
*It should be noted that Deakin University offers a unit specifically based on a Practical Project and Edith Cowan
University offers a Work Integrated Learning unit which could increase their alignment with the work roles. These
results offer a viewpoint into how the courses align and are offered for the purposes of discussion rather than as a
definitive assessment. Future research could be undertaken to compare exact learning outcomes and criteria
offered in the courses.
The total alignment of generalist master’s programs to work role KSA’s indicates an overall
alignment of 51 percent. To accurately address the skills crisis, universities would need to
amend their courses to better cover the required KSA’s. Currently all universities’ courses align
best with the Cyber Defence Incident Investigator work role. This could be a starting point
for enabling greater consistency with work roles and actively working with industry to further
alignment. The Technical Security Consultant (Information Systems Security Operations) role
was the most poorly aligned. This course could also benefit from industry’s input into core
requirements and active internships/work integrated learning opportunities. Universities could
partner with consultancy organisations to provide options like an “earn and learn”, whereby
students enter from a low level at the consultancy and as they develop and complete the course
rise up the ranks. This would be useful for students who have no experience or a current role
in cyber security. From these results it would be fair to say that the courses don’t currently
align with the top five skills crisis work roles. This reinforces and supports the industry surveys’
results.
This demonstrates that developing the type of capability required by both students and
employers requires new approaches focused on the growing and changing demands of the
cyber security field.
4.4 Comparative view of generalist versus mission specific master’s programs
To put this into perspective, this paper compares and contrasts three separate Master of Cyber
Security courses (general practice) against a more mission-specific Master of Science -
Forensic Computing and Cybercrime Investigation from University College Dublin, utilising
the Cyberspace Education Framework. These courses provide a level of expertise within
separate subsets of the cyber security field. The example looks at the generic cyber security
(technical) degree compared to a course offered with a mission-specific law enforcement focus
specifically for law enforcement officers only. The example highlights the value of the
mission-specific requirement for a degree when compared to the general practice Master’s
degree. This focus enables a view of who must carry the responsibility for the specific purpose.
In this example, it would be law enforcement agencies and governments’ appropriate policy
areas for law enforcement, driving the course and providing relevant expertise and material.
This could be at the state, national or international level. This mission-specific curriculum
enables institutions to partner with relevant stakeholders and develop courses that fit a purpose
or public policy requirement. Since we look to the private sector to provide relevant
technologies and expertise to new cyber security education programs, we do need to note that
private sector underpinnings of cyber-crime prevention are very different from those of other
missions, such as cyber offensive and defensive operations for national security.
Table 4 below demonstrates how the mission specific education method compares to traditional
curriculum.
| | Classic curriculum approach to Cyber Security (Technical) degrees | Master of Science - Forensic Computing and Cybercrime Investigation |
|---|---|---|
| Education Type | Tertiary (Post graduate) | Tertiary (Post graduate) |
| Level of Expertise | Intermediate. This depends largely on the specific institution and could only be considered at a higher level if they offer a hybrid model of learning including major work integrated learning opportunities and practical simulations utilising cyber-ranges. | Expert. A Law Enforcement specific stream. This enables an advanced course specifically on the Knowledge Skills and Abilities (KSA) required including collaboration with key law enforcement agencies. |
| Field of Education | Focus – Technical (General Practice) broadly focusing on Computer Forensics, Network Security, Information Security, Programming, Wireless Security. | Focus – Technical (Computer and Cybercrime investigations) |
| Purpose | None of the key purposes on that axis of the matrix are specifically addressed by most master’s level cyber security programs. Most are designed to meet the demand for technical experts who can implement (not lead) low to mid-level technical cyber security functions “general practice” in government, industry or law enforcement. | Designed to meet only one purpose: Education and training for law enforcement officers in cyber-crime. |
| Objective | Each University states different objectives in a broad statement: Expert cyber security professionals who can protect organisations from these threats are in high demand and this course can prepare you for a successful career anywhere in the world (Deakin University). It is designed for postgraduate scholars and professional managers with appropriate undergraduate qualifications in IT, computer science, electrical computer or systems engineering or a related discipline and/or extensive relevant professional experience who wish to gain a more detailed understanding of the technical skills and expertise relevant to the technical implementation and leadership of the cyber security function (UNSW). This coursework degree is designed to meet the demand for cyber security professionals within government, law enforcement and industry. The course provides a pathway for existing information technology professionals seeking to commence or further progress their careers in the cyber security domain. It is also relevant to those seeking to enter the IT profession who have no previous experience in the cyber discipline (ECU). | To provide high quality forensic computing and cybercrime investigation training and formal education. It is also designed to deliver cutting-edge, up-to-date cybercrime investigation techniques, strategies and tactics that allow students to understand and tackle emerging trends in cybercrime. To teach existing law enforcement officials to be able to operate effectively and think critically in analysing and performing cybercrime investigation through practical studies and scenario-related exercises to detect and secure prosecutions. |
| Units of Study | Computer Forensics; Network Security; Information Security; Programming; Project Management; Wireless Security; Data Analytics | Computer Forensics; Network Investigations; Malware Investigations; Mobile Devices Investigation; Linux for Investigators; Live Data Forensics; Data and Database Forensics; Online Fraud Investigations; Legislation; Financial Fraud Investigation; Case Study; Research Project |
| Application | General Practitioner. Become a team member in a cyber-security team and enhance career with new workplace options operating within a range of often disconnected technical operations areas. | Law Enforcement Officer. Countering cyber-crime as an advanced technical specialist within a digital crimes law enforcement unit. |

Table 4. Comparison of generalist to mission specific master’s course
(ECU, UNSW, DEAKIN, UCD, 2017)
It is interesting to note that all three Master of Cyber Security programs state law enforcement
within the purpose. There are clear differences between the effectiveness and the
knowledge/skillsets acquired from undertaking the general practice Master of Cyber Security
compared to the Master of Science - Forensic Computing and Cybercrime Investigation. In
performing the same analysis between the work role KSA’s for a Forensic Analyst and the
learning outcomes of the UCD course, there was a 97 percent match between the educational
outcomes and the work role KSA’s. This is a stark difference to the generalist courses. This
clearly demonstrates the effectiveness and requirement for mission-specific cyber security
education.
4.5 Framework Implications
The framework enables a high level comprehensive view of cyberspace education. This
information is then collated to enable benchmarks and baselines to be developed into metrics.
From this information, the purpose for the education can be identified. The purpose can also
be identified as “the why”. Why is the education being undertaken or why is the education
program being delivered? This is a very important aspect of the framework and goes towards
successful educational policy and program development and implementation. This approach
leads to purpose-driven or mission-specific education. For example, is a program being
delivered to teach students about national security, to create base-level enterprise security
officers, or just because cyber security seems popular at the moment?
The education outcomes need to be purpose driven, not driven by institutions that may not have
any tangible links to relevant workplaces. Institutions aren’t the only piece in the puzzle, in the
same way that governments/industry are not, and neither can solve all the cyber security
educational requirements. It is broad and requires multiple stakeholders working together. A
purpose-driven focus enables stakeholders to look at the why and from that develop appropriate
solutions, i.e. new curricula for Master of Cyber Security: updating and realigning the general
practice approach with a more mission-specific, purpose-driven method that integrates
workplace integrated learning and engages with industry to optimise the master’s programs.
Having a course specifically for students who are already in law enforcement enables students
to apply their learning straight away. They are not required to undertake basic investigative or
evidence gathering courses as that knowledge has already been acquired. This enables the
course to be more in-depth and focused on more expert level outcomes.
Many governments try to initiate a single curriculum to solve the cyber security and/or skills
crisis issue. This approach will probably fall short because, as discussed above, the multidisciplinary
nature of cyber security would require multiple different streams. While this is a start for
governments, more is required and a focus on the purpose for the cyber security education is
critical to identify different public policy requirements, career paths and education levels
required.
4.6 Further Investigation with Informants
Two Universities (University of Melbourne and University College Dublin) and Hays
Recruitment were invited to provide their views on the research and more broadly on the cyber
security industry. Overall, their views reinforce the distinct gap between educators and industry
and the requirements for both. University of Melbourne stated that ‘specialist cyber security
courses undoubtedly have a role to play in the overall education framework. Whilst a gap in
specialist skills is an issue, it is one that can be addressed both quickly and effectively through
dedicated training, whether that be through mission-specific master’s programmes, like the one
offered by UCD, or commercial training courses’. Hays Recruitment on the other hand noted
that ‘experience is the biggest requirement for employers and both industry certifications and
academic qualifications do not rank as highly and are not considered nearly as relevant’.
The University of Melbourne stated that ‘specialist cyber security courses undoubtedly have a
role to play in the overall education framework’. This aligns with comments from Hays
Recruitment whereby ‘technical cyber security roles are specialised and require specific
skillsets for each individual work roles. Generalist programs while providing an overview into
multiple areas don’t address the requirements for specialised work roles’. Hays Recruitment
went further saying that they ‘actively work with industry in developing recruitment
requirements for cyber security roles as the field is still immature’.
All informants agreed that work placements can be extremely valuable, in both the student’s
education and their subsequent employability. As experience is seen by industry as the most
valuable recruitment trait, there is a requirement for universities to consider this further. Hays
Recruitment supported the viewpoint of students/employees starting in low level positions and
moving into the relevant roles as their experience grew. UCD ‘works very hard officially
through partnerships and through indirect industry contacts to assist students in finding work,
either during (internships) or after finishing their courses’. This type of interaction assists in
establishing the value of these programs to potential employers or recruitment agencies.
It is interesting to note that the University of Melbourne stipulates ‘that the evolution of cyber
security threats outpaces that of the corresponding training. It is important that we instil in our
graduates the skills necessary to be able to independently undertake the constant education
needed to perform well in the field’. All informants agreed that practical simulations and cyber
ranges play an important part in developing the necessary leadership skills to evaluate and
respond to an emerging threat. These skillsets are required to ensure there is a level of work
based experience. UCD stay relevant through working closely with industry and subject matter
experts. This provides courses that are specific, in depth and work role relevant ensuring the
course materials are up to date. This also ensures that students who have participated in the
course are recognised by employers and understand the KSA’s they would have acquired in
undertaking the course.
There are currently high expectations on employees to have five plus years’ experience and
have KSA’s in multiple areas. There could be a base for utilising lower skilled employees and
training them in certain areas to fill a role due to the cyber security skills crisis. Practical
skills and work integrated learning in courses, and further industry-university collaboration,
are required to ensure programs are aligned with work role requirements and relevant. It
benefits neither industry nor universities if students undertaking these types of courses cannot
find employment.
Another aspect affecting employers is that not all roles require specific cyber security
qualifications. There are courses that prepare technical students to undertake required work
roles and have appropriate KSA’s. An example of this is software engineering, which is not
specifically cyber security based but builds on large amounts of cyber security KSA’s. This is
an area that requires further investigation into the benefit of establishing them as either specific
cyber security named courses or reinforcing the multi-faceted and multidisciplinary nature of
cyber security. The final point of interest was that Hays Recruitment stated that they did not
have major difficulty in filling the cyber security roles for employers in Canberra. This goes
against the current trend of a skills crisis, if the roles are actively being filled. Though it should
be noted that, as the nation’s capital, Canberra has large numbers of workers who come from
interstate and internationally specifically to work for the Australian Public Service or industries
that contract into government.
5. Discussion
Universities are places of higher learning that can either lag behind industry or be at the forefront
of advancement and innovation, and many scholars simply choose to have nothing to do with
industry since they are pursuing less applied subjects. Universities must continue the vision of
excellence in research and higher education, while pursuing beneficial partnerships with
industry. Moreover, as this field of cyber security is still in its infancy, there could be a case that
many decision-makers in Australian industry currently do not know what they need in terms
of employee training and education in this domain.
The initial survey of the student cohort, the results from both the comparison of work role
KSA’s and the mission specific course examples demonstrate there is a gap in student
expectations in undertaking the Master of Cyber Security and the future possibilities for
employment. While students who already have a role in a cyber security position found they
should be able to utilise their acquired KSA’s, the students who are not, may find it difficult to
find future employment. These assumptions only look at the overall picture and not the other
skillsets the students have relevant to potential employment. The comparison in work role
KSA’s and outputs of the generalist master’s programs reinforce the message that industry
reported in the ISACA and AISA surveys, whereby academic qualifications weren’t regarded
highly. Moreover, it should be noted that Master's degrees can be vocational, but they can also
be preparatory for further studies and research, such as a PhD, and can focus on the technical
aspect of cyber security, as much as on applied activities.
It would be beneficial for universities, as the research asserts, to partner further with industry
to establish career pathways for students, practical and work integrated learning opportunities
and to ensure the programs are meeting key skills crisis work roles. Universities could
investigate industry partnerships in ensuring career paths for students while studying and after
graduation.
This last point is especially important for the universities who were awarded the ACSSE, as
one of the key goals is to increase the number of highly skilled post-graduates with the job
ready skills needed to work in Australian business and government to tackle emerging cyber
security challenges.
5.1 Key Research Outcomes
The key research outcomes should be looked at by universities and industry to promote
effective alignment between the educational outcomes and industry requirements.
- The Cyberspace Education Framework provides a valuable tool for analysis of
  education and training programs.
- The industry survey results demonstrate a gap between university offerings and
  industry’s requirements from them as education institutions. Universities have the
  potential to expand and amend their programs to meet industry needs.
- A move away from the “all in one” generalist curricula and instead offering distinct
  multi-faceted and multidisciplinary course streams would enable courses to be
  individually tailored to meet specific mission-specific requirements.
- Aligning program streams to industry vacancies could add value to Master of Cyber
  Security programs.
- Practical skillset application and development is vital for technical based programs.
- Workplace integrated learning is essential (if implemented correctly) and can provide
  valuable experience to students who are not in the industry or want to actively expand
  new skillsets (an example is outlined in section 5.2).
- Universities working with industry to provide internships/work placements could be a
  valuable promotion tool for universities.
5.2 Applying this Research3
Adapting current cyber security education towards a necessary workplace-integrated learning
program involves applying the methods and findings outlined above to mission-specific and
role specific programs. The discussion below around possible planning for a new mid-career
or early career Master’s degree illustrates what that might look like if UNSW Canberra were
to undertake to prepare team leaders in advanced cyber operations for military and national
security purposes. The proposal would involve consultation with the sectors and industries the
courses are intended to support, principally but not exclusively Defence (the Australian
Defence Force and Department of Defence), other national security agencies, and the private
sector. Additional development of new courses may depend on additional funding, if only for
the Government to incentivise fully integrated learning programs. Here is how a new process
might unfold.
Mapping of the key KSA and attitudes for such a degree might ascertain, based in part on this
paper, that the main gaps in current UNSW Canberra programs were:
(1) Knowledge: understanding of legal aspects of cybersecurity, as applied to rules-
of-engagement for attributing sources of cyber-threat, mechanisms for referral
to authorities of suspected criminality encountered in intelligence work, and
techniques of offensive deterrence (active defence).
(2) Skills and abilities: mentored investigative or research skills in applying the
techniques used on both unclassified and real cyber-ranges in medium
complexity red v. blue exercises.
(3) Attitudes: practicums to develop successful attitudes to deal with the
uncertainty prevalent in cyber attribution, the pervasiveness of cyber-
operations, invasiveness of malicious intent and probing, and the deleterious
effects of the mostly indecisive outcomes (i.e. no win/lose or reward).
UNSW Canberra with representation from Defence and Government could negotiate with
cybersecurity industries with the necessary experience and security clearances to help develop
and oversee three different integrated workplace learning programs: one for Defence, one for
Government departments (State/Territory or Federal) and one for industries that provide
essential national services such as finance, transportation and utilities. Private sector companies
could agree to partner in developing the practicums: e.g. US Company A and UK Company B.
Stakeholders could work toward developing a formal degree program that would extend current
cybersecurity master’s programs for one year (full-time equivalent) by including specialised
integrated workplace learning programs into a second year, each of which leverages common
existing subjects into more specialised purpose specific outcomes (defence, other government,
industry—all of which have roles in cyber military operations). To raise the standard of
education with high level academic input, a new funding model could include two industry
chairs (US Industry A and UK Industry B) and two academic chairs (applied cybersecurity law
& cyber-range research operations). The academic subjects for the intensive knowledge
component and practicum might be:
Semester 1 (Year 1):
  o Cyber law (Applied Legal Chair/Industry Chair B)
  o Cyber acquisition governance (Current Academic/Industry Chair A)
  o Advanced cyber security test and evaluation techniques (Current Academic/Industry Chair A)
  o Cyber Network Architectures (Current Academic/Industry Chair B)
Semester 2 (Year 1):
  o Cyber Network Protections and Attributional Tools (Current Academic/Industry Chair B)
  o Cyber defensive techniques, including cooperative vulnerability testing (Cyber-range
    Operations Chair/Industry Chair A)
  o Cyber offensive techniques, including penetration testing (Cyber-range Operations
    Chair/Industry Chair A)
  o Cyber warfare strategic dimensions (international factors, hybrid warfare, hacker
    profiles, cybercrime etc) (Applied Legal Chair/Industry Chair B)
Practicum Year (Year 2):
  o Research project (All)
3 The author is grateful to Dr Keith Joiner, CSC, for his assistance in compiling an example to envisage how the
research findings might be applied and with what consequences.
The new programs could commence with new external funding for 25 students in each program
per year (75 total), growing by a further 25 positions in each program each year over three
years to a total of 225 per year. As the funding is provided by the government, only Australian
citizens with a minimum security clearance would be allowed, while Defence students are
subjected to additional clearances before the practicum phase. The delivery of classified
Australian-only education programs in a university setting would be problematic and would be
seen by many as contrary to the ethos of Australian universities. A cyber security institute and
the Australian Government Department of Education and Training could partner to accredit the
new integrated workplace learning program with reviews every two years. The first graduates
are presented with both a Master of Cyber Security and a cyber security institute accreditation
as high-level practitioners. The program becomes an important feeder of graduates with
recognised KSA in cybersecurity who are sufficiently experienced more quickly than current
industry norms (i.e. 2.5 years c.f. 5 years), and could spawn replication in other cyber security
education programs within Australia and abroad.
5.3 Areas for Future Research
There are five key areas for future research which should be undertaken to further investigate
the educational outcomes and industry requirements.
- What the Australian cyber security industry wants and requires from education
  institutions.
- Educational outcomes and industry work roles is required to accurately map the broad
  requirements of the skills and education crisis.
- There is a key lack of relevant data on baselines and benchmarks on the effectiveness
  of cyber security education programs. More investigation is required into the relevance
  of all current programs focusing on cyber security and the true requirements of industry.
- Should there be a more hybrid model for cyber security education (a cyber security
  college) incorporating aspects of higher education, vocational education and training
  (VET) and industry certifications?
- Further research into establishing trainee or cadetship programs or similar would be
  beneficial for students to gain the necessary experience.
This research demonstrates that investigation into university courses and their alignment to
work role KSAs provides a valuable picture for universities, industry and policy makers
alike. Further investigation is required to ensure that all aspects, including KSA outcomes,
skills acquired from practical projects, workplace integrated learning and the course learning
outcomes are addressed more fully. This focus could ultimately shape public policy on key
cyber security issues. A nation which is cyber resilient is essential for it to truly prosper in the
digital information age.
6. Conclusion
The purpose of this research was to investigate whether the current Master of Cyber Security
programs were preparing students for the workforce. The results indicate that more needs to be
done in this space, but disruption is often hard to implement in large organisations such as
universities. The results show that while student experiences are positive, alignment of courses
offered with work role KSAs is low. Overall, a course that moves more towards being mission-
specific, purpose-driven and closely aligned with the work role KSAs would greatly improve
the success of students moving into the workforce and the effectiveness of the courses offered.
Universities need to promote their programs more broadly with industry to break the current
viewpoints and perceptions. It is fair to say that in general, the relationship between industry
and universities needs to be improved particularly with respect to the development of industry-
integrated curricula, as has been argued for a decade (Koppi et al., 2008).
The requirement for purpose-driven and mission-specific cyber security education is increasing
and will continue to become more relevant. This focus enables stakeholders to establish key
educational programs and policies relevant to the particular requirement. The Cyberspace
Education Framework provides a model to view cyber security education holistically within
the public policy context. This method aims to ensure relevant pedagogical aspects are covered
and identified. This enables baselines and benchmarks to be utilised. The paper tested the
model against higher education examples and demonstrated that the model can be used for
future reviews encompassing the alignment with work role KSAs. This can then be utilised to
create a cyberspace education maturity index that can be reviewed each year. Ongoing
evaluation is critical to identifying strengths and weaknesses in existing programs and specific
areas that need to be addressed.
In response to the initial question stipulated in this paper (are current Master of Cyber Security
programs preparing students for the workforce?), this paper demonstrates a requirement for
the realignment of courses to enable relevant work role KSAs to be acquired by students
during their studies. The government’s strong focus on cyber resilience must be understood.
Australia has the opportunity to be a leader in cyber security education globally. This potential
needs to be viewed with disruption in mind, with universities being open to new ways of
operating in partnerships with industry. The requirement for universities to produce highly
skilled post-graduates with the job-ready skills needed should be viewed as an opportunity and
the way forward.
References
Alvarez, I., Silva, N. and Correia, L. (2016). Cyber education. SIGCAS Comput. Soc.,
[online] 45(3), p. 185-192. Available at: http://dl.acm.org/citation.cfm?id=2874266
[Accessed 28 Nov. 2016].
Amankwa, E., Loock, M. and Kritzinger, E. (2014). A conceptual analysis of information
security education, information security training and information security awareness
definitions. The 9th International Conference for Internet Technology and Secured
Transactions (ICITST-2014).
Amankwa, E., Loock, M. and Kritzinger, E. (2015). Enhancing information security
education and awareness: Proposed characteristics for a model. 2015 Second
International Conference on Information Security and Cyber Forensics (InfoSec).
Andel, T. and McDonald, J. (2013). A Systems Approach to Cyber Assurance
Education. Proceedings of the 2013 on InfoSecCD '13 Information Security Curriculum
Development Conference - InfoSecCD '13.
Armstrong, H., Dodge, R. and Armstrong, C. (2013). Reaching Today’s Information Security
Students. Information Assurance and Security Education and Training, [online] p. 218-
225. Available at: http://link.springer.com/chapter/10.1007%2F978-3-642-39377-8_25
[Accessed 18 Dec. 2016].
Austin, G. (2016). Australia Rearmed! Future Needs for Cyber-Enabled Warfare.
[Discussion Paper 1] Australian Centre for Cyber Security, UNSW Canberra. Available
at: https://www.unsw.adfa.edu.au/australian-centre-for-cyber-
security/sites/accs/files/uploads/DISCUSSION%20PAPER%20AUSTRALIA%20REAR
MED.pdf [Accessed 1 Feb. 2017].
Austin, G. (2017). Cyber Security Formation: An Educational Maturity Model for
Australia. Unpublished note.
Austin, G. and Slay, J. (2016). Australia's Response to Advanced Technology Threats: An
Agenda for the Next Government. [Discussion Paper 3] Australian Centre for Cyber
Security, UNSW Canberra. Available at: https://www.unsw.adfa.edu.au/australian-
centre-for-cyber-
security/sites/accs/files/uploads/ADVANCED%20TECHNOLOGY%20THREATS%20
AND%20AUSTRALIA%2030%20May%202106mediaversion.pdf [Accessed 1 Feb.
2017].
Australian Cyber Security Growth Network. (2017). Cyber Security Sector Competitiveness
Plan - Australian Cyber Security Growth Network. [online] Available at:
https://www.acsgn.com/cyber-security-sector-competitiveness-plan/ [Accessed 1 Jun.
2017].
Australian Government Department of Employment (2017). Unpaid Work Experience in
Australia Prevalence, nature and impact. [online] Australian Government. Available at:
https://docs.employment.gov.au/system/files/doc/other/unpaid_work_experience_report_
-_december_2016.pdf [Accessed 1 Mar. 2017].
Australian Information Security Association (2017). The Australian Cyber Security Skills
Shortage Study 2016. AISA Research Report. [online] Available at:
https://www.aisa.org.au/Public/Training_Pages/Research/AISA%20Cyber%20security%
20skills%20shortage%20research.aspx?New_ContentCollectionOrganizerCommon=3#
New_ContentCollectionOrganizerCommon [Accessed 1 Mar. 2017].
Coag.gov.au. (2017). COAG meeting Communiqué, 9 December 2016 | Council of Australian
Governments. [online] Available at: http://www.coag.gov.au/meeting-outcomes/coag-
meeting-communiqué-9-december-2016 [Accessed 1 Feb. 2017].
Conklin, W., Cline, R. and Roosa, T. (2014). Re-engineering Cybersecurity Education in the
US: An Analysis of the Critical Factors. 2014 47th Hawaii International Conference on
System Sciences. [online] Available at:
http://ieeexplore.ieee.org/stamp/stamp.jsp?reload=true&arnumber=6758852 [Accessed 4
Dec. 2016].
Cooper, S., Hoffman, L., Pérez, L., Pfleeger, C., Raines, R., Schou, C., Brynielsson, J.,
Nickell, C., Piotrowski, V., Oldfield, B., Abdallah, A., Bishop, M., Caelli, B., Dark, M.
and Hawthorne, E. (2010). An exploration of the current state of information assurance
education. ACM SIGCSE Bulletin, [online] 41(4), p.109. Available at:
http://delivery.acm.org.wwwproxy1.library.unsw.edu.au/10.1145/1710000/1709457/p10
9-
cooper.pdf?ip=149.171.67.148&id=1709457&acc=ACTIVE%20SERVICE&key=65D8
0644F295BC0D%2EB811333C2AA88C82%2E4D4702B0C3E38B35%2E4D4702B0C
3E38B35&CFID=870600112&CFTOKEN=26123292&__acm__=1482056585_11a76a
18c179ee4aa8d75e5128b45db5 [Accessed 18 Dec. 2016].
csrc.nist.gov. (2016). The National Initiative for Cybersecurity Education (NICE). [online]
Available at: http://csrc.nist.gov/nice/education.html [Accessed 28 Nov. 2016].
Cybersecuritystrategy.dpmc.gov.au. (2016). Resources - Cyber Security Strategy - DPMC.
[online] Available at: https://cybersecuritystrategy.dpmc.gov.au/resources/index.html
[Accessed 28 Nov. 2016].
Cybersecuritystrategy.pmc.gov.au. (2017). Cyber Security Strategy - DPMC. [online]
Available at: https://cybersecuritystrategy.pmc.gov.au/first-annual-update/ [Accessed 1
Jun. 2017].
Deakin.edu.au. (2017). Master of Cyber Security | Deakin. [online] Available at:
http://www.deakin.edu.au/course/master-cyber-security [Accessed 1 Feb. 2017].
ECU. (2017). Master of Cyber Security. [online] Available at:
http://www.ecu.edu.au/degrees/courses/master-of-cyber-security [Accessed 1 Feb.
2017].
Education.gov.au. (2017). Academic Centres of Cyber Security Excellence (ACCSE) |
Department of Education and Training. [online] Available at:
https://www.education.gov.au/academic-centres-cyber-security-excellence-accse
[Accessed 1 Jul. 2017].
Hentea, M. and Dhillon, H. (2006). Towards Changes in Information Security
Education. Journal of Information Technology Education, [online] 5, p. 221-233.
Available at: http://jite.informingscience.org/documents/Vol5/v5p221-
233Hentea148.pdf [Accessed 4 Dec. 2016].
Huang, Z., Shen, C., Doshi, S., Thomas, N. and Duong, H. (2015). Cognitive Task Analysis
Based Training for Cyber Situation Awareness. Information Security Education Across
the Curriculum, p. 27-40.
Kessler, G. and Ramsay, J. (2013). Paradigms for Cybersecurity Education in a Homeland
Security Program. Journal of Homeland Security Education, [online] 2, p. 35-44.
Available at: http://www.journalhse.org/sft710/kesslerramsayjhsearticlefinal.pdf
[Accessed 4 Dec. 2016].
Koppi, A., Naghdy, F., Chicharo, J., Sheard, J., Edwards, S. and Wilson, D. (2008). The crisis
in ICT education: an academic perspective. In: Annual Conference of the Australasian
Society for Computers in Learning in Tertiary Education. [online] Available at:
http://ro.uow.edu.au/infopapers/901/ [Accessed 28 Nov. 2016].
Koppi, T., Edwards, S., Sheard, J., Brooke, W. and Naghdy, F. (2010). The case for ICT
work-integrated learning from graduates in the workplace. In: 12th Australasian
Computing Education Conference. [online] Available at:
https://opus.lib.uts.edu.au/bitstream/10453/19326/1/2011001487.pdf [Accessed 28 Nov.
2016].
Lehto, M. (2016). Cyber Security Education and Research in the Finland's Universities and
Universities of Applied Sciences. International Journal of Cyber Warfare and Terrorism
(IJCWT), 6(2), 15-31. [online] Available at: https://www-igi-global-
com.wwwproxy1.library.unsw.edu.au/gateway/article/full-text-html/152645 pdf
[Accessed 28 Nov. 2016].
Locasto, M., Ghosh, A., Jajodia, S. and Stavrou, A. (2011). The ephemeral
legion. Communications of the ACM, [online] 54(1), p.129. Available at:
http://cacm.acm.org/magazines/2011/1/103201-the-ephemeral-legion-producing-an-
expert-cyber-security-work-force-from-thin-air/abstract [Accessed 4 Dec. 2016].
Manson, D. and Pike, R. (2014). The case for depth in cybersecurity education. ACM
Inroads, [online] 5(1), p. 47-52. Available at: http://10.1145/2568195.2568212
[Accessed 4 Dec. 2016].
Martin, P. (2015). Cyber Security Education, Qualifications and Training. Engineering &
Technology Reference. [online] Available at:
https://pure.royalholloway.ac.uk/portal/files/25218802/IETEducationTraining.pdf.
McGettrick, A. (2013). Toward Curricular Guidelines for Cybersecurity. Report of a
Workshop on Cybersecurity. [online] Association for Computing Machinery. Available
at: http://www.acm.org/education/TowardCurricularGuidelinesCybersec.pdf [Accessed 4
Dec. 2016].
McGettrick, A. (2013). Toward Effective Cybersecurity Education. IEEE Security & Privacy,
11(6), p. 66-68.
Miloslavskaya, N. and Tolstoy, A. (2015). Professional Competencies Level Assessment for
Training of Masters in Information Security. Information Security Education Across the
Curriculum, p. 135-145.
Naghdy, F., Koppi, A. and Chicharo, J. (2007). ICT education: challenge of accommodating
change. In: Innovations in Information and Communications Technologies, 2007.
[online] Available at: http://ro.uow.edu.au/infopapers/899/ [Accessed 28 Nov. 2016].
Newhouse, B., Keith, S., Scribner, B. and Witte, G. (2017). Draft NIST Special Publication
800-181. [online] circa.nist.gov. Available at:
http://csrc.nist.gov/publications/drafts/800-181/sp800_181_draft.pdf [Accessed 1 Mar.
2017].
NICE (2016). NICE Strategic Plan. [online] Available at:
http://csrc.nist.gov/nice/documents/nicestratplan/NICE_Strategic_Plan_%202016.pdf
[Accessed 28 Nov. 2016].
NIST. (2016). NICE Framework Provides Resource for a Strong Cybersecurity Workforce.
[online] Available at: https://www.nist.gov/news-events/news/2016/11/nice-framework-
provides-resource-strong-cybersecurity-workforce [Accessed 28 Nov. 2016].
Skills and Attributes of IT Graduates: Evidence from Employer’s Perspective. (2016).
In: Twenty-second Americas Conference on Information Systems. [online] Available at:
http://aisel.aisnet.org/cgi/viewcontent.cgi?article=1260&context=amcis2016 [Accessed
28 Nov. 2016].
Slay, J. (2016). Training and education for cyber security, cyber defence and cyber
warfare. United Service, [online] 67(3), p. 24-26,31. Available at:
http://search.informit.com.au/documentSummary;dn=301424020269498;res=IELHSS
[Accessed 28 Nov. 2016].
Students First. (2016). Strengthening the Australian Curriculum. [online] Available at:
https://www.studentsfirst.gov.au/strengthening-australian-curriculum [Accessed 28 Nov.
2016].
Ucd.ie. (2017). MSc in Forensic Computing & Cybercrime Investigation | UCD Centre for
Cybersecurity & Cybercrime Investigation. [online] Available at:
http://www.ucd.ie/cci/education/prospective_students/fcci_programmes/msc_fcci.html
[Accessed 1 Feb. 2017].
Unsw.adfa.edu.au. (2017). Master of Cyber Security (8628) | UNSW Canberra. [online]
Available at: https://www.unsw.adfa.edu.au/degree/postgraduate-coursework/master-
cyber-security-8628 [Accessed 1 Feb. 2017].
Vogel, R. (2016). Closing The Cybersecurity Skills Gap. Salus Journal, [online] 4(2), p. 32-
46. Available at: http://www.salusjournal.com/wp-
content/uploads/sites/29/2016/05/Vogel_Salus_Journal_Volume_4_Number_2_2016_pp
_32-46.pdf [Accessed 28 Nov. 2016].